0
votes

I need end-to-end encryption, so currently the setup is:

example.com -> Route53 -> LB (TCP :80/443) -> Nginx Ingress with SSL certs installed

Is it possible to do something like:

example.com -> Route53 -> CloudFront -> LB (TCP :80/443) -> Nginx Ingress with SSL certs installed

When I'm attaching the same certificate to CloudFront, I'm getting a 502 CloudFront error. I listed example.com in Alternate Domain Names and the LB DNS name mylb123.elb.us-east-2.amazonaws.com as Origin Domain Name. The documentation says that the Origin Domain Name should match one of the names in the SSL certificate that is assigned to the origin, but the SSL certificate was provisioned for real domains like example.com; it surely does not include *.elb.us-east-2.amazonaws.com etc. This confuses me.

Can you please suggest how to set up SSL on the CloudFormation side, or pass it through and handle SSL on the Ingress side?

Update:

The SSL certificate is issued by DigiCert, it's not self-signed.

It is possible. But can you just update/change the certificate? - Perimosh
The certificate was provisioned by DigiCert for usage on the EC2 instance side since end-to-end encryption is required. I don't think that including *.elb.us-east-2.amazonaws.com in that certificate is a good option, is it? - jumpy
@jumpy You can't use your DigiCert cert for *.elb.us-east-2.amazonaws.com because this domain is not yours. You need to have your own domain. I don't understand how you could register a cert for an AWS-owned domain? Whatever you did, such a cert is invalid. - Marcin
You're right, I can't. The DigiCert certificate is provisioned for example.com, but when I use it for CloudFront it raises a 502 error. The problem was in SSL handshakes failing between CloudFront and the Nginx instance. I had to whitelist the Host header so CloudFront can forward it to the origin, see my answer below. Thanks for your support anyway! - jumpy

2 Answers

0
votes

For your origin, in your case an instance, you must have a valid public SSL certificate. It can't be self-signed. This means that you need to have a proper, public domain for which you register such a certificate.

AWS ACM free SSL certs do not work with instances, unless in an enclave, so you have to use a third party to get such an SSL certificate. A popular choice is https://letsencrypt.org/. Alternatively, you can front your instance with an ALB and get a free SSL cert from ACM.

0
votes

I found the resolution in an unrelated question.

To make SSL work without the "502 ERROR The request could not be satisfied" error, I had to specify my domain (e.g. example.com) as an Alternate Domain Name in the CloudFront distribution, attach the SSL certificate provisioned for example.com and, very important, whitelist the Host header in the cache behavior. This makes SSL handshakes work between CloudFront and Nginx.
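The setup this answer describes, written out as a CloudFormation template (an added example, not the poster's own template): the origin is the LB DNS name from the question, the DigiCert certificate is assumed to have been imported into ACM in us-east-1 (CloudFront only accepts certificates from that region; the ARN and account id are placeholders), and the cache behavior forwards the Host header so the Nginx Ingress receives example.com instead of the LB hostname and can serve the matching certificate.

```yaml
Resources:
  IngressDistribution:
    Type: AWS::CloudFront::Distribution
    Properties:
      DistributionConfig:
        Enabled: true
        # Alternate Domain Name: must be covered by the viewer certificate below
        Aliases:
          - example.com
        # The DigiCert certificate imported into ACM in us-east-1 (placeholder ARN)
        ViewerCertificate:
          AcmCertificateArn: arn:aws:acm:us-east-1:123456789012:certificate/PLACEHOLDER-CERT-ID
          SslSupportMethod: sni-only
          MinimumProtocolVersion: TLSv1.2_2021
        Origins:
          - Id: nginx-ingress-lb
            # LB DNS name from the question; TCP :443 is passed through to the Ingress
            DomainName: mylb123.elb.us-east-2.amazonaws.com
            CustomOriginConfig:
              # Keep the hop to the origin encrypted (end-to-end requirement)
              OriginProtocolPolicy: https-only
              HTTPSPort: 443
              OriginSSLProtocols:
                - TLSv1.2
        DefaultCacheBehavior:
          TargetOriginId: nginx-ingress-lb
          ViewerProtocolPolicy: redirect-to-https
          AllowedMethods: [GET, HEAD, OPTIONS, PUT, PATCH, POST, DELETE]
          ForwardedValues:
            QueryString: true
            Cookies:
              Forward: all
            # Whitelisting Host is the fix from the answer: without it the Ingress
            # sees the LB hostname, which the example.com certificate does not cover
            Headers:
              - Host
```

Without the `Host` entry under `Headers`, CloudFront sends the origin domain name to the Ingress, which reproduces the 502 the question describes.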